Under pressure from regulatory requirements, professional standards, and client expectations—not to mention increasingly sophisticated hackers—CPA firms are emphasizing efforts to protect the privacy of confidential information under their purview. The following steps can help firms mitigate the risk of a reputation-damaging data breach:
Identify and classify the types of information the firm maintains. Firms should understand the information they keep and define what types of information should be protected. In most cases, firms can use a scheme of three to four categories (e.g., restricted/sensitive, confidential, internal use, and public) to classify information and prioritize protection efforts. Challenges include identifying other locations, such as audit work papers, that can contain nonpublic information.
Assess your current controls and the threats facing high-risk data. Consider threats from external and internal perspectives. Many firms, based on media accounts, recognize threats caused by potential hacker and malware efforts. However, employees can inadvertently “leak data” by misplacing files, using personal storage media (such as smartphones and flash drives), or transferring data outside the firm.
Upgrade protection strategies as needed. To protect themselves and their clients’ information, more firms are developing and implementing policies addressing client information, automated monitoring of access and use of information, and employee-awareness training. Technical solutions such as monitoring and data-leakage protection software may also be considered. In light of the sophistication of evolving threats, cyber insurance frequently is sought.
Review the impact of vendors and third-party service providers. With the advent of cloud computing, many firms now rely on third parties to host, manage, and protect their data. Although functions can be contractually assigned to a third party, accountability for data protection cannot. Firms should address the issue of accountability by ensuring that their contracts with third-party providers include data protection expectations such as service-level agreements that hold the service provider to the same standards of information protection as the firm.
Know the requirements of applicable data privacy protection laws and regulations. Firms need to be aware of the implication of regulations such as the Gramm-Leach-Bliley Act (see aicpa.org/privacy) and should also be cognizant of the data breach laws in the states where their clients reside. Many state data breach notification laws are applicable based on where the individual resides rather than on where the firm does business or where the breach occurred.
Destroy sensitive or confidential data when it is no longer needed. At the end of the retention period, the information should be returned to the client or properly destroyed. Paper documents should be shredded with a cross-cut shredder. Before disposing of devices, remove all electronic data using methods such as secure data-wiping software.
Develop, implement, and test an incident-response plan. Privacy breaches can occur despite the best prevention efforts. Creation of an incident-response plan enables firms to develop optimum strategies to respond on several fronts, including regulatory and public relations.
(The AICPA/Canadian Institute of Chartered Accountants Privacy Task Force has created numerous tools, ranging from high-level questionnaires to Generally Accepted Privacy Principles, to help firms and their clients manage privacy risks. Access these tools at aicpa.org/privacy.)
—By Joel Lanz, CPA/CITP, (
) an adjunct professor at the State University of New York–College
at Old Westbury and chair of the AICPA CITP Credential Committee,
and Nancy A. Cohen, CPA/CITP, (
) an AICPA manager.